Facing Critical Risks and Threats to Compliance

Today we bring you an interview between Maurice Gilbert, CCI’s CEO, and Galina Datskovsky, CEO of Vaporstream, a leading provider of secure and compliant messaging offering best-in-class infrastructure that enables companies to meet complex bring-your-own-device (BYOD) and information governance requirements.

Maurice Gilbert: How did you get started on a career in compliance?

Galina Datskovsky: At my first software company, we were writing a record management application that required in-depth information governance knowledge, and I decided to learn everything I possibly could about it in order to produce a better product. Then I got involved in various associations including ARMA, and I decided to join the board of ARMA International. Over time, I’ve developed more and more expertise in compliance policies, compliance monitoring and compliance software.

MG: Who helped shape your views?

GD: The associations, particularly ARMA, were extremely helpful for me in terms of shaping my views, as has been the analyst community. I’ve worked very closely with Gartner, Forrester and 451 Group, and that’s been tremendous from my perspective. I also work a lot with various legal authorities including the Sedona Conference, which has been pretty instrumental – particularly former judge Ron Hedges, who I’ve worked very closely with on various papers. He has been very influential.

MG: How do you stay current on ethics and compliance issues?

GD: Staying current means keeping up with current publications. I do this through ARMA, the Sedona Conference, analyst research and by reading the various relevant publications including Corporate Compliance Insights. I also organize and attend events that relevant organizations put on. One such organization is the Executive Women’s Forum (EWF), of which I am a part. I am also a member of the EWF Advisory Board.

MG: What are some of the significant issues facing CCOs, Risk Managers, etc.?

GD: There are many issues, and it all depends on the organization and industry you’re in. There are always changing regulations one has to consider, as well as the changing landscape of an organization – for example, if it’s acquiring another organization or becoming global. One issue that is particularly significant is the changing nature of technology. What I find is that it’s very hard for CCOs to keep up with the advances in technology. This includes the official technology that’s brought into the organization, as well as what’s called the shadow IT – technology that’s brought in by individual people behind the organization’s back. What employees are using outside the workplace is often very different than what’s deployed within the office. When it’s so easy to provision applications and have shadow IT, it makes ensuring compliance (both industry and ethical) and following security standards very difficult. Even if you have official systems in place and don’t have shadow IT, making sure that all your considerations are taken into account when those are used, rolled out, etc., is a really challenging situation.

MG: What do you believe is the optimal reporting structure for the CCO and why?

GD: I generally favor the CCO being in the legal department because I think that compliance and legal really go hand in glove. Oftentimes laws and regulations drive compliance, so I think the legal department is a natural fit for the CCO.

MG: How do you effect change within your client’s environment?

GD: To effect change, you need to understand the culture of your client’s organization. You need to understand the needs and technology being used and who actually regulates the client. Once that is understood, you have to put that all together and make a reasonable road map that’s divided into manageable pieces. The only way you can effect anything and not paralyze an organization into inactivity because of the scope and breadth of things is to say, “let’s attack a critical problem with a good ROI that we could affect, show benefit, show better compliance, ensure outcome and go from there.” If you create a big road map and attack small chunks, that’s the best way to effect an environment.

MG: How do you see the CCO role evolving within the next three years?

GD: I see the CCO role as almost a bridge between IT, security, legal and the business. I think organizations would benefit if the CCO role evolved into a mediator between all of those units. Making sure there’s compliance, but also understanding where the business is coming from and being able to manage the risk vs. reward based on the corporate culture.

MG: What do you see as the greatest business risks facing companies today?

GD: There are many business risks facing companies today. If we talk about risks in light of compliance specifically, I think the greatest risk is the wild field of communication. Communication is still taking place with old technology, like email. We saw from this year’s election how easy it is to hack email and leak it, especially when the email is not under your control anymore. I think one of the biggest threats in terms of compliance is the proliferation of content and inability to secure content, especially when it leaves an organization’s perimeter.

MG: What do you see as the greatest regulatory risks facing companies today?

GD: It all depends on the business you’re in. Some companies are really not regulated and other companies are supremely regulated, and thus their regulatory risks would be completely different. In general I think companies need to know what their culture, landscape and requirements are and tailor their regulatory program to the actual needs. The risk comes by not understanding these elements and creating regulatory programs based on some ideal standard or a total lack thereof.

GD: Executives in the Chief Compliance Officer, Chief Audit Officer and Chief Risk Officer roles need to understand the various pillars – like business need, risk, landscape, corporate culture – and make sure they take all of it into account. They need to make sure that all of the stakeholders are represented and have buy-in and that there’s some agreement between the stakeholders as to what the priorities are. If they can accomplish that, they would be very prepared to face those risks. It’s also important to note that this is a continual process rather than a one-time deal – this is something you do and revisit and improve all the time. That’s really key to preparing for risks.

MG: How does your company help its clients mitigate risk?

GD: Vaporstream provides secure, ephemeral and compliant mobile messaging. We address that key problem of untethered content proliferation while also addressing the idea of a new technology being used for business – particularly texting for business.

In today’s mobile world, almost every person communicates instantly. The reality is that many companies outlaw texting, yet people still do it. It’s very important to not fall into the trap of “I have a policy, therefore I’m protected.” Having a policy which might say “we do not allow texting,” won’t protect an organization from the fact that everyone in the company texts anyway. Since texting is the next wave of communication, having mobile messaging that is secure and controlled by the sender, and that can disappear from devices but be recorded for corporate compliance, is extremely important. Rather than saying “no” to texting in general, organizations can say “yes” and, with the appropriate product, mitigate the risk of unmanaged communication and someone hacking into communication. That’s where Vaporstream comes in.

MG: What new service offerings do you have in the queue?

GD: We’re constantly revising our key offering. Our key offering is very simple, but when you talk about simple, there’s a lot of complexity behind it. We already allow many different types of attachments, but we’re looking to enable sending videos and other forms of media securely and mitigating risk in that regard. You’ll also see more from us becoming an integral part of the corporate landscape since secure storage is a big deal for many organizations and is key to the success of compliance programs.

MG: Compliance departments are often asked to accomplish their work with limited resources… do you see this situation changing any time soon?

GD: I don’t see that changing. The state of the business world today means that everyone needs to do more with less.

Dr. Galina Datskovsky is CEO of Vaporstream®. She has also served on the board of multiple startups, assisting with strategy, and was formerly Senior Vice President of Information Governance at Autonomy, an HP Company. She served as Chair, President, President Elect and Director of ARMA International (2007-2013) and as a Fellow in 2014. Galina also served as Senior Vice President of Architecture at CA Technologies, where she was responsible for corporate-wide architecture and design initiatives; General Manager of the Information Governance Business Unit; and a Distinguished Engineer. Galina joined CA in 2006 with the acquisition of MDY Group International, where she served as Founder and CEO. Prior to founding MDY, Galina consulted for IBM and Bell Labs and taught at the Fordham University Graduate School of Business and the Graduate School of Arts and Sciences at Columbia University.

Galina is a Certified Records Manager (CRM) and is recognized around the world as an expert in information governance and associated technologies. She received her CRM certification in 2004 and earned doctoral, master’s and bachelor’s degrees in Computer Science from Columbia University. She is the recipient of the prestigious Leahy award and a Fellow of ARMA International. She has been widely published in academic journals and speaks frequently for industry organizations such as AIIM, ARMA International, ILTA, IQPC and Cohasset Associates/MER. She received the NJBIZ: Best 50 Women in Business Award in April 2010.

(Article originally published on Corporate Compliance Insights by Maurice Gilbert, December 08, 2016)